Page 1: Social Engineering

Wali Memon

Page 2: Social Engineering

“You could spend a fortune purchasing technology and services... and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”

- Kevin Mitnick

Page 3: What is Social Engineering?

- Uses psychological methods
- Exploits the human tendency to trust
- Goals are the same as hacking

Page 4: Why Social Engineering?

- Easier than technical hacking
- Hard to detect and track

Page 5: The Mind of a Social Engineer

- More like actors than hackers
- Learn how people feel by observing their actions
- Can alter these feelings by changing what they say and do
- Make the victim want to give them the information they need

Page 6: Approaches

- Carelessness
- Comfort zone
- Helpfulness
- Fear

Page 7: Careless Approach

- Victim is careless
  - Does not implement, use, or enforce proper countermeasures
- Used for reconnaissance
  - Looking for what is lying around

Page 8: Careless Examples

- Dumpster diving / trashing
  - Huge amount of information in the trash
  - Most of it does not seem to be a threat
  - The who, what and where of an organization
  - Knowledge of internal systems
  - Materials for greater authenticity
  - Intelligence agencies have done this for years

Page 9: Careless Examples (cont.)

- Building / password theft
  - Requires physical access
  - Looking for passwords or other information left out in the open
  - Yields little more information than dumpster diving does

Page 10: Careless Examples (cont.)

- Password harvesting
  - Internet or mail-in sweepstakes
  - Based on the belief that people don’t change their passwords across different accounts

Page 11: Comfort Zone Approach

- Victim organization members are in a comfortable environment
- Lower threat perception
- Usually requires the use of another approach

Page 12: Comfort Zone Examples

- Impersonation
  - Could be anyone:
    - Tech support
    - Co-worker
    - Boss
    - CEO
    - User
    - Maintenance staff
  - Generally two goals:
    - Asking for a password
    - Building access (careless approach)

Page 13: Comfort Zone Examples (cont.)

- Shoulder surfing
- Direct theft
  - Outside the workplace
  - Wallet, ID badge, or purse stolen
- Smoking zone
  - Attacker will sit out in the smoking area
  - Piggybacks into the office when users go back to work

Page 14: Comfort Zone Examples (cont.)

- Insider threats
  - Legitimate employee
  - Could sell or use data found by “accident”
    - Result of poor access control
  - Asking IT staff for favors to obtain information
  - Usually spread out over a long period of time

Page 15: Helpful Approach

- People generally try to help even if they do not know who they are helping
- Usually involves being in a position of obvious need
- Attacker generally does not even ask for the help they receive

Page 16: Helpful Examples

- Piggybacking
  - Attacker will trail an employee entering the building
  - More effective:
    - Carry something large so they hold the door open for you
    - Go in when a large group of employees is going in
    - Pretend to be unable to find the door key

Page 17: Helpful Examples (cont.)

- Troubled user
  - Calling organization numbers asking for help
  - Getting a username and asking to have a password reset

Page 18: Fear Approach

- Usually draws from the other approaches
- Puts the user in a state of fear and anxiety
- Very aggressive

Page 19: Fear Examples

- Conformity
  - The user is the only one who has not helped out the attacker with this request in the past
  - Personal responsibility is diffused
  - User gets justification for granting the attacker’s request

Page 20: Fear Examples (cont.)

- Time frame
  - Fictitious deadline
  - Impersonates a payroll bookkeeper or proposal coordinator
  - Asks for a password change

Page 21: Fear Examples (cont.)

- Importance
  - Classic boss or director needs a routine password reset
  - Showing up from a utility after a natural occurrence (thunderstorm, tornado, etc.)

Page 22: Advanced Attacks

- Offering a service
  - Attacker contacts the user
  - Uses viruses, worms, or trojans
  - User could be approached at home or at work
  - Once infected, attacker collects needed information

Page 23: Advanced Attacks (cont.)

- Reverse social engineering
  - Attacker puts themselves in a position of authority
  - Users ask the attacker for help and information
  - Attacker takes the information and asks for what they need while fixing the problem for the user

Page 24: Combating Social Engineers

- User education and training
- Identifying areas of risk
  - Tactics correspond to area
- Strong, enforced, and tested security policy

Page 25: User Education and Training

- Security orientation for new employees
- Yearly security training for all employees
- Weekly newsletters, videos, brochures, games and booklets detailing incidents and how they could have been prevented
- Signs, posters, coffee mugs, pens, pencils, mouse pads, screen savers, etc. with security slogans (e.g. “Loose lips sink ships”)

Page 26: Areas of Risk

- Certain areas have certain risks
- What are the risks for these areas?
  - Help desk, building entrance, office, mail room, machine room / phone closet, dumpsters, intranet/internet, overall

Page 27: Security Policy

- Management should know the importance of protecting against social engineering attacks
- Specific enough that employees should not have to make judgment calls
- Include a procedure for responding to an attack
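As an added example (not part of the deck), here is what a help-desk password-reset rule set looks like when it is specific enough that the “troubled user”, “boss needs a reset” and “fictitious deadline” stories from the earlier slides never require a judgment call; the directory, request fields and rules are assumptions for illustration:

```python
"""Help-desk password-reset verification policy, modelled in code.

Added example, not from the deck. The employee directory, the request
fields and the three rules below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Constructed employee directory: username -> phone number on record.
DIRECTORY = {"jdoe": "+1-555-0100", "asmith": "+1-555-0101"}


@dataclass
class ResetRequest:
    username: str
    callback_number: str          # number the caller asks to be reached on
    claimed_role: str = "user"    # e.g. "user", "boss", "ceo", "tech support"
    urgency_claim: bool = False   # "payroll deadline", "storm damage", ...


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def evaluate_reset(req: ResetRequest, prior_requests: int = 0) -> Decision:
    """Apply fixed rules; the agent never has to weigh the caller's story."""
    d = Decision(approved=False)
    on_record = DIRECTORY.get(req.username)
    if on_record is None:
        d.reasons.append("unknown username: do not confirm whether it exists")
        return d
    # Rule 1: reset only via call-back to the directory number, never to a
    # number the caller supplies (defeats impersonation and troubled-user ploys).
    if req.callback_number != on_record:
        d.reasons.append("callback number differs from directory; refuse")
    # Rule 2: authority or deadline claims change nothing (fear approach).
    if req.claimed_role != "user":
        d.reasons.append(f"claimed role '{req.claimed_role}' grants no bypass")
    if req.urgency_claim:
        d.reasons.append("urgency claim ignored; normal procedure applies")
    # Rule 3: repeated requests for one account are an incident, not a retry.
    if prior_requests >= 2:
        d.reasons.append("third request for this account: escalate to security")
        return d
    d.approved = req.callback_number == on_record
    if d.approved:
        d.reasons.append("callback to directory number; proceed")
    return d
```

Every refusal carries its reasons so the agent can record the attempt, which is the “procedure for responding to an attack” the policy slide asks for.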

Page 28: Conclusions

- Social engineering is a very real threat
- Realistic prevention is hard
  - Can be expensive
  - Militant vs. helpful help-desk staff
  - Reasonable balance

Page 29: References

- Charles Lively, “Psychological Based Social Engineering”. SANS Institute, December 2003. 10 September 2005. http://www.giac.org/certified_professionals/practicals/gsec/3547.php
- Sarah Granger, “Social Engineering Fundamentals: Part I”. Security Focus, December 2001. 10 September 2005. http://www.securityfocus.com/infocus/1527
- Sarah Granger, “Social Engineering Fundamentals: Part II”. Security Focus, January 2002. 10 September 2005. http://www.securityfocus.com/infocus/1533